webauthn 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8dd2e6fbccb0b180e0a36f4980939a1ba3a66d0cc744a7d50b140feb01917a35
-  data.tar.gz: 403281bfe63aa4ca9929bd0ca2e8cc9ff3af4ae66b21251f26118138fb355051
+  metadata.gz: 14d13c4bce35ebbe6cde4332ab9f5af2b5e0a9592fdc1fcb6d902954764ff656
+  data.tar.gz: 28f671cb2e1baeffa0f0662863867e6c12c05338fd5d4a780c2e8f6bc54344f1
 SHA512:
-  metadata.gz: 4ab428637bed52191bdee14a96a9676df44019170ffab49862bc28e84c59202f3fb8302b36fd0bc29321608352712ea18cdecbe0311dfc02a167da1b2bf1d3b5
-  data.tar.gz: cb98ae9cbfbe66804e2bea396121da2874b667b6e25ee58790195dbfd2a6b6d936cca70e50d7b9d796f2af0928c164cbdd3093987a202171f19e365bbdefd6a1
+  metadata.gz: c44f926b6046f13b9ff0b71646a8ce72ff87ac064b82cfc8e1a273889d1878567655455d874619361aa1c9906cdc06234e4e5502736c18148e3721e36c790fff
+  data.tar.gz: ac6e06366d290ef51ad1257386d3a44a0b9eae9a3fd7e4071392c73a0a1cd39784da6bf942ac984fd84d0ef2100bff4cf0dbaf83df064cc6df5f2cdffa5ddc22

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [v1.4.0] - 2018-10-11
+
+### Added
+
+- _Registration_ ceremony
+  - `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `android-safetynet` attestation statements. Thank you @bdewater!
+
 ## [v1.3.0] - 2018-10-11
 
 ### Added
@@ -78,6 +85,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v1.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.3.0...v1.4.0/
 [v1.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.2.0...v1.3.0/
 [v1.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.1.0...v1.2.0/
 [v1.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.0.0...v1.1.0/

data/lib/webauthn/attestation_statement.rb

@@ -7,6 +7,7 @@ module WebAuthn
     ATTESTATION_FORMAT_NONE = "none"
     ATTESTATION_FORMAT_FIDO_U2F = "fido-u2f"
     ATTESTATION_FORMAT_PACKED = 'packed'
+    ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
 
     def self.from(format, statement)
       case format
@@ -19,6 +20,9 @@ module WebAuthn
       when ATTESTATION_FORMAT_PACKED
         require "webauthn/attestation_statement/packed"
         WebAuthn::AttestationStatement::Packed.new(statement)
+      when ATTESTATION_FORMAT_ANDROID_SAFETYNET
+        require "webauthn/attestation_statement/android_safetynet"
+        WebAuthn::AttestationStatement::AndroidSafetynet.new(statement)
       else
         raise FormatNotSupportedError, "Unsupported attestation format '#{format}'"
       end

data/lib/webauthn/attestation_statement/android_safetynet.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "openssl"
+require "webauthn/attestation_statement/base"
+
+module WebAuthn
+  module AttestationStatement
+    # Implements https://www.w3.org/TR/2018/CR-webauthn-20180807/#android-safetynet-attestation
+    class AndroidSafetynet < Base
+      def self.default_trust_store
+        OpenSSL::X509::Store.new.tap { |trust_store| trust_store.set_default_paths }
+      end
+
+      def valid?(authenticator_data, client_data_hash, trust_store: self.class.default_trust_store)
+        trusted_attestation_certificate?(trust_store) &&
+          valid_signature? &&
+          valid_attestation_domain? &&
+          valid_version? &&
+          valid_nonce?(authenticator_data, client_data_hash) &&
+          cts_profile_match?
+      end
+
+      private
+
+      def trusted_attestation_certificate?(trust_store)
+        signing_certificates.each do |certificate|
+          trust_store.add_cert(certificate)
+        end
+        trust_store.verify(attestation_certificate)
+      end
+
+      def valid_signature?
+        signed_payload, _, base64_signature = statement["response"].rpartition(".")
+        signature = Base64.urlsafe_decode64(base64_signature)
+        attestation_certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature, signed_payload)
+      end
+
+      def valid_attestation_domain?
+        subject = attestation_certificate.subject.to_a
+        subject.assoc('CN')[1] == "attest.android.com"
+      end
+
+      # TODO: improve once the spec has clarifications https://github.com/w3c/webauthn/issues/968
+      def valid_version?
+        !statement["ver"].empty?
+      end
+
+      def valid_nonce?(authenticator_data, client_data_hash)
+        nonce = unverified_jws_result[0]["nonce"]
+        nonce == verification_data(authenticator_data, client_data_hash)
+      end
+
+      def cts_profile_match?
+        unverified_jws_result[0]["ctsProfileMatch"]
+      end
+
+      def verification_data(authenticator_data, client_data_hash)
+        Digest::SHA256.base64digest(authenticator_data.data + client_data_hash)
+      end
+
+      def attestation_certificate
+        attestation_certificate_chain[0]
+      end
+
+      def signing_certificates
+        attestation_certificate_chain[1..-1]
+      end
+
+      def attestation_certificate_chain
+        @attestation_certificate_chain ||= unverified_jws_result[1]["x5c"].map do |cert|
+          OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
+        end
+      end
+
+      def unverified_jws_result
+        @unverified_jws_result ||= JWT.decode(statement["response"], nil, false)
+      end
+    end
+  end
+end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

data/webauthn.gemspec

@@ -27,8 +27,11 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = ">= 2.4"
+
   spec.add_dependency "cbor", "~> 0.5.9.2"
   spec.add_dependency "cose", "~> 0.1.0"
+  spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
 
   spec.add_development_dependency "bundler", "~> 1.16"
   spec.add_development_dependency "byebug", "~> 10.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -39,6 +39,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -131,6 +151,7 @@ files:
 - lib/cose/ecdsa.rb
 - lib/webauthn.rb
 - lib/webauthn/attestation_statement.rb
+- lib/webauthn/attestation_statement/android_safetynet.rb
 - lib/webauthn/attestation_statement/base.rb
 - lib/webauthn/attestation_statement/fido_u2f.rb
 - lib/webauthn/attestation_statement/none.rb
@@ -160,7 +181,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -168,7 +189,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party